PHP max_input_vars, form element limits and the suhosin patch

Just came across a belter of an issue with a ridiculously oversized form on a work website.

Background is the page has 200+ item types, each with 2 cost types, with each cost types having 4 tiers. 2x4x200 = 1600 input fields (not including other elements, like submit buttons, hidden fields etc).

I noticed that some of the later elements weren’t saving. In fact, dumping the $_POST to screen showed that they weren’t even making it to the form processing script. They’d just… disappeared.

I knew of a change in PHP 5.3.9 – the addition of max_input_vars, which allows you to specify the maximum number of elements allowed in a submission (apparently, in order to prevent DOS attacks using hash collisions). But as we’re currently running 5.3.8, it didn’t appear to be that.

Then, after a bit of Googling, it struck me – Suhosin patch. Sure enough, it seems Suhosin was enforcing a limit on the number of form elements that could be submitted in a single form, which makes sense seeing as it’s designed to “harden” PHP. The 2 offending directives are suhosin.post.max_vars and suhosin.request.max_vars, which are there to limit $_POST and $_GET input variables respectively.

So, if you forsee having more than 1000 elements in a single form, and you’re using the Suhosin patch, you should add the following to you php.ini file in order to allow it: